Quote:

"We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk."

Edit: I keep screwing up the quote tags.

No, actually Google did people a favor going public with this, since this was being actively exploited but Chrome protects against it. I already use Chrome as my main browser, but if I were using a different one I'd switch to Chrome till a Windows update is released protecting against this.

If this were something that no one knew about until Google let it loose, then I'd question their motive. But Microsoft has evidence that this has been used recently and may still be being used, and they want to cry foul on Google? BS. You don't get to patch your fancy new system and then get mad when the secret gets out that everyone else is vulnerable. Get a patch out, if possible, and quit whining.

How are customers put at increased risk by being notified about a vulnerability that is already being ACTIVELY EXPLOITED?

It seems like the opposite might be true if folks were extra-vigilant or attempted to implement mitigation as a result of this knowledge.

Actively exploited by an APT-labeled group is different from active exploitation on a mass scale.

The vulnerability was limited to a specific group utilizing it against specific targets. By skirting coordination with Microsoft and releasing info on the vulnerability without a patch, exploit kit writers/bad actors are now aware of where their efforts should be placed.

I hope you don't have relatives that may be susceptible to drive-by exploits via IE/Edge/Chrome on anything pre-Win10.

How are customers put at increased risk by being notified about a vulnerability that is already being ACTIVELY EXPLOITED?

It seems like the opposite might be true if folks were extra-vigilant or attempted to implement mitigation as a result of this knowledge.

Actively exploited by an APT-labeled group is different from active exploitation on a mass scale.

The vulnerability was limited to a specific group utilizing it against specific targets. By skirting coordination with Microsoft and releasing info on the vulnerability without a patch, exploit kit writers/bad actors are now aware of where their efforts should be placed.

I hope you don't have relatives that may be susceptible to drive-by exploits via IE/Edge/Chrome on anything pre-Win10.

Google didn't tell anyone how to take advantage of the exploit; they merely announced that the exploit is out there and that Chrome on Windows 10 protects against it.

Ahh, I kinda take that back. Google did give out some specifics on it, but I still feel it was the right thing to do.

How are customers put at increased risk by being notified about a vulnerability that is already being ACTIVELY EXPLOITED?

It seems like the opposite might be true if folks were extra-vigilant or attempted to implement mitigation as a result of this knowledge.

Actively exploited by an APT-labeled group is different from active exploitation on a mass scale.

The vulnerability was limited to a specific group utilizing it against specific targets. By skirting coordination with Microsoft and releasing info on the vulnerability without a patch, exploit kit writers/bad actors are now aware of where their efforts should be placed.

I hope you don't have relatives that may be susceptible to drive-by exploits via IE/Edge/Chrome on anything pre-Win10.

Skirting coordination with Microsoft?

Read the previous article on this about how Google's advice was being ignored by Microsoft.

How are customers put at increased risk by being notified about a vulnerability that is already being ACTIVELY EXPLOITED?

It seems like the opposite might be true if folks were extra-vigilant or attempted to implement mitigation as a result of this knowledge.

Actively exploited by an APT-labeled group is different from active exploitation on a mass scale.

The vulnerability was limited to a specific group utilizing it against specific targets. By skirting coordination with Microsoft and releasing info on the vulnerability without a patch, exploit kit writers/bad actors are now aware of where their efforts should be placed.

I hope you don't have relatives that may be susceptible to drive-by exploits via IE/Edge/Chrome on anything pre-Win10.

Skirting coordination with Microsoft?

Read the previous article on this about how Google's advice was being ignored by Microsoft.

Ignored? It takes more than 7 days to push out a patch for a core OS piece. It's not Adobe Flash that can be updated in a moment. And people have taken Microsoft to task about poor update quality recently. Plus, if Chrome and Edge are already protected against this, that's a decent chunk of users okay when we're talking about

Remember the initial attempt to patch Heartbleed failed because it was rushed and fixed nothing? Do we want that again?

From what I understand, Microsoft was working on something. And next week is Patch Tuesday. If Microsoft didn't have something ready for an out-of-band patch, it likely would have ended up in next Tuesday's releases. The reason people are calling out Google again is that Google frequently discloses Windows vulnerabilities right before Microsoft fixes the issue. For things that are not critical, Microsoft has had Patch Tuesday for over a decade. It's one of the few major software vendors with a dedicated release schedule for these kinds of things. But Google seems to ignore it a lot, and it feels like nothing but targeting the rivalry between the companies by disclosing it just before Microsoft can release a patch.

How are customers put at increased risk by being notified about a vulnerability that is already being ACTIVELY EXPLOITED?

It seems like the opposite might be true if folks were extra-vigilant or attempted to implement mitigation as a result of this knowledge.

Difference between Russia having nuclear weapons and your neighborhood crazy building a dirty bomb... Anyone targeted by state actors is already hacked or has defenses to guard against such intrusions. This is a dick move unless Google has emails from Microsoft where they refused to fix it in a reasonable time. Turns out they were going to fix it in 8 additional days, which is very reasonable. Fixing multiple versions of Windows used in diverse environments is not the same as fixing Chrome.

If this were something that no one knew about until Google let it loose, then I'd question their motive. But Microsoft has evidence that this has been used recently and may still be being used, and they want to cry foul on Google? BS. You don't get to patch your fancy new system and then get mad when the secret gets out that everyone else is vulnerable. Get a patch out, if possible, and quit whining.

The fact that the exploit is used doesn't mean it is widely used against regular Windows users. Now that Google has published it, every random hacker can use it.

How are customers put at increased risk by being notified about a vulnerability that is already being ACTIVELY EXPLOITED?

It seems like the opposite might be true if folks were extra-vigilant or attempted to implement mitigation as a result of this knowledge.

Actively exploited by an APT-labeled group is different from active exploitation on a mass scale.

The vulnerability was limited to a specific group utilizing it against specific targets. By skirting coordination with Microsoft and releasing info on the vulnerability without a patch, exploit kit writers/bad actors are now aware of where their efforts should be placed.

I hope you don't have relatives that may be susceptible to drive-by exploits via IE/Edge/Chrome on anything pre-Win10.

Skirting coordination with Microsoft?

Read the previous article on this about how Google's advice was being ignored by Microsoft.

Ignored? It takes more than 7 days to push out a patch for a core OS piece. It's not Adobe Flash that can be updated in a moment. And people have taken Microsoft to task about poor update quality recently. Plus, if Chrome and Edge are already protected against this, that's a decent chunk of users okay when we're talking about

Remember the initial attempt to patch Heartbleed failed because it was rushed and fixed nothing? Do we want that again?

From what I understand, Microsoft was working on something. And next week is Patch Tuesday. If Microsoft didn't have something ready for an out-of-band patch, it likely would have ended up in next Tuesday's releases. The reason people are calling out Google again is that Google frequently discloses Windows vulnerabilities right before Microsoft fixes the issue. For things that are not critical, Microsoft has had Patch Tuesday for over a decade. It's one of the few major software vendors with a dedicated release schedule for these kinds of things. But Google seems to ignore it a lot, and it feels like nothing but targeting the rivalry between the companies by disclosing it just before Microsoft can release a patch.

Let me quote Google for you:

Quote:

Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management.

Microsoft could have managed the situation by just putting out an advisory: "There is a critical active exploit in the wild. Currently, using Chrome or Edge on Windows 10 mitigates it. We have a patch planned for Patch Tuesday. We will release additional details then."

"After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released," wrote Neel Mehta and Billy Leonard of Google's Threat Analysis Group. "This vulnerability is particularly serious because we know it is being actively exploited."

Microsoft needs to stop trying to call Google's bluff, and just announce a goddamn workaround when these things come up.

Serious problem but I did get a laugh out of Microsoft's Terry Myerson comment:

"... encouraged customers to upgrade to Windows 10 for protection from further advanced threats."

They never stop pushing that Win 10 upgrade. And really, who can protect from future and unknown 'further advanced threats'?

Windows versions older than Windows 10 are rapidly approaching "only security updates," and Windows 7 has been there for years. There also comes a point where "only security updates" are meaningless when the primary weakness is fundamental to the fact that the older software is running an obsolete core-kernel-level, never-to-be-patched-or-updated-ever-because-it's-out-of-scope vulnerability. It's like how Windows 7 could protect you against things that Windows XP had no hope of doing simply because it was newer, even though XP was still under updates. At this point Windows 7 is to Windows 10 what Windows XP was to Windows 7 in 2010.

If you didn't update, fine. Don't blame Microsoft when you're running a nearly decade-old operating system that doesn't have as many low-level, intrinsic-to-newer-technology security updates. Especially when you were too paranoid to take it when they were literally falling head over heels to give it away to anyone who wanted it.

And yes, paranoid. Clinically paranoid. My wife works in a mental hospital with patients who complain about the CIA listening to their thoughts on their teeth, and they're less delusionally paranoid than people I've seen on here ranting against Windows 10.

If this were something that no one knew about until Google let it loose, then I'd question their motive. But Microsoft has evidence that this has been used recently and may still be being used, and they want to cry foul on Google? BS. You don't get to patch your fancy new system and then get mad when the secret gets out that everyone else is vulnerable. Get a patch out, if possible, and quit whining.

The fact that the exploit is used doesn't mean it is widely used against regular Windows users. Now that Google has published it, every random hacker can use it.

This & other posts consistently spark strongly worded, diametrically opposed comments on whether security researchers are being either "conscientiously responsible" OR "recklessly irresponsible" in their vulnerability disclosure practices.

Are there no well regarded industry organizations that prepare & publish best practices addressing responsible disclosure of vulnerabilities? The only references I was able to find quickly refer to CERTs & CSIRTs, but these appear to be smaller groups with a relatively tight focus, many in number & not formally affiliated within any broader industry context.

I've had the impression that 30 days from notifying the "owner" of a newly discovered vulnerability before its wider public disclosure was "generally" considered both reasonable & responsible, (but circumstances may dictate a shorter window). It would appear, though, that every security researcher/team sets their own "standard" for what is reasonable & responsible?

Serious problem but I did get a laugh out of Microsoft's Terry Myerson comment:

"... encouraged customers to upgrade to Windows 10 for protection from further advanced threats."

They never stop pushing that Win 10 upgrade. And really, who can protect from future and unknown 'further advanced threats'?

Windows versions older than Windows 10 are rapidly approaching "only security updates," and Windows 7 has been there for years. There also comes a point where "only security updates" are meaningless when the primary weakness is fundamental to the fact that the older software is running an obsolete core-kernel-level, never-to-be-patched-or-updated-ever-because-it's-out-of-scope vulnerability. It's like how Windows 7 could protect you against things that Windows XP had no hope of doing simply because it was newer, even though XP was still under updates. At this point Windows 7 is to Windows 10 what Windows XP was to Windows 7 in 2010.

If you didn't update, fine. Don't blame Microsoft when you're running a nearly decade-old operating system that doesn't have as many low-level, intrinsic-to-newer-technology security updates. Especially when you were too paranoid to take it when they were literally falling head over heels to give it away to anyone who wanted it.

And yes, paranoid. Clinically paranoid. My wife works in a mental hospital with patients who complain about the CIA listening to their thoughts on their teeth, and they're less delusionally paranoid than people I've seen on here ranting against Windows 10.

Well, with people's homes becoming a part of Botnet Central and HP previously 'updating' their inkjets to not allow 3rd party cartridges as well as new hacking stories every day, what's one more vulnerability? People are going to start getting numb over all of this.

Makes sense. Sad thing about Device Guard/Credential Guard is you can't run VMware Workstation if you have them enabled. Both are virtualization-based and require Hyper-V installed. Hyper-V then seizes VT-x and Workstation shits the bed. Already submitted a feature request because it's kind of shitty that you have to choose between security or running Workstation (yes, I know you could use Hyper-V, but it's just not the same).

Serious problem but I did get a laugh out of Microsoft's Terry Myerson comment:

"... encouraged customers to upgrade to Windows 10 for protection from further advanced threats."

They never stop pushing that Win 10 upgrade. And really, who can protect from future and unknown 'further advanced threats'?

Windows versions older than Windows 10 are rapidly approaching "only security updates," and Windows 7 has been there for years. There also comes a point where "only security updates" are meaningless when the primary weakness is fundamental to the fact that the older software is running an obsolete core-kernel-level, never-to-be-patched-or-updated-ever-because-it's-out-of-scope vulnerability. It's like how Windows 7 could protect you against things that Windows XP had no hope of doing simply because it was newer, even though XP was still under updates. At this point Windows 7 is to Windows 10 what Windows XP was to Windows 7 in 2010.

By definition a security vulnerability will be provided with a security update through the end-of-life of both Windows 7 and 8. While they may choose a method of resolving the vulnerability that's less than ideal as the OS ages, they won't leave a known update hanging while they're pledged to support security vulnerabilities.

How are customers put at increased risk by being notified about a vulnerability that is already being ACTIVELY EXPLOITED?

It seems like the opposite might be true if folks were extra-vigilant or attempted to implement mitigation as a result of this knowledge.

Actively exploited by an APT-labeled group is different from active exploitation on a mass scale.

The vulnerability was limited to a specific group utilizing it against specific targets. By skirting coordination with Microsoft and releasing info on the vulnerability without a patch, exploit kit writers/bad actors are now aware of where their efforts should be placed.

I hope you don't have relatives that may be susceptible to drive-by exploits via IE/Edge/Chrome on anything pre-Win10.

Skirting coordination with Microsoft?

Read the previous article on this about how Google's advice was being ignored by Microsoft.

Ignored? It takes more than 7 days to push out a patch for a core OS piece. It's not Adobe Flash that can be updated in a moment. And people have taken Microsoft to task about poor update quality recently. Plus, if Chrome and Edge are already protected against this, that's a decent chunk of users okay when we're talking about

Remember the initial attempt to patch Heartbleed failed because it was rushed and fixed nothing? Do we want that again?

From what I understand, Microsoft was working on something. And next week is Patch Tuesday. If Microsoft didn't have something ready for an out-of-band patch, it likely would have ended up in next Tuesday's releases. The reason people are calling out Google again is that Google frequently discloses Windows vulnerabilities right before Microsoft fixes the issue. For things that are not critical, Microsoft has had Patch Tuesday for over a decade. It's one of the few major software vendors with a dedicated release schedule for these kinds of things. But Google seems to ignore it a lot, and it feels like nothing but targeting the rivalry between the companies by disclosing it just before Microsoft can release a patch.

Patch Tuesday is a convenience, both for Microsoft and for the end user. It's not a "we can only do it on the second Tuesday of the month" kind of thing. It's a "this is when you can expect them, so be ready".

There's nothing at all difficult for them to push an out-of-schedule patch - especially if it's as critically needed as this one appears to be.

Google had told Microsoft about it ten days before the announcement, which is their policy to do for EVERYONE. Microsoft has the damned source code for Windows, so if anyone can knock out a patch in 10 days or less, it's them. IIRC, there was something about them laying off a bunch of coders not long ago (It could have been another company), but either way, Microsoft is big enough to have dealt with this and pushed a patch BEFORE that 10 days was up, out of cycle or not.

Them whining about what Google did is rather disingenuous when everyone in the industry knows how Google's zero-day exploit notification system works. For whatever reason, Microsoft did not respond in a timely fashion to a critical flaw. Tossing the "blame" back on Google, especially when the exploit was ALREADY BEING USED in the wild, is just a blame game tactic to make people not notice their own lack of action on the issue.

Google threw Microsoft the ball with the same speed and power as they do everyone all the time, and when Microsoft dropped it, they're complaining it was Google's fault.

Anyone feel like every story on Ars is blurring into another? Google releasing zero-days that are being used on Windows to hack DNC emails during the election so that WikiLeaks can embarrass Clinton? We just need a Mars and Westworld connection somewhere and the writers can set a bot to write the headlines while they go on vacation.

Quote:

"We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk."

Edit: I keep screwing up the quote tags.

No, actually Google did people a favor going public with this, since this was being actively exploited but Chrome protects against it. I already use Chrome as my main browser, but if I were using a different one I'd switch to Chrome till a Windows update is released protecting against this.

I would appreciate if Google would stop doing the public such "favors".

Before their "favor" the public was at risk of being attacked by Fancy Bear, a state actor. Now the public is at risk of being attacked by any bad actor that read their disclosure.

How are customers put at increased risk by being notified about a vulnerability that is already being ACTIVELY EXPLOITED?

It seems like the opposite might be true if folks were extra-vigilant or attempted to implement mitigation as a result of this knowledge.

Actively exploited by an APT-labeled group is different from active exploitation on a mass scale.

The vulnerability was limited to a specific group utilizing it against specific targets. By skirting coordination with Microsoft and releasing info on the vulnerability without a patch, exploit kit writers/bad actors are now aware of where their efforts should be placed.

I hope you don't have relatives that may be susceptible to drive-by exploits via IE/Edge/Chrome on anything pre-Win10.

Skirting coordination with Microsoft?

Read the previous article on this about how Google's advice was being ignored by Microsoft.

Ignored? It takes more than 7 days to push out a patch for a core OS piece. It's not Adobe Flash that can be updated in a moment. And people have taken Microsoft to task about poor update quality recently. Plus, if Chrome and Edge are already protected against this, that's a decent chunk of users okay when we're talking about

Remember the initial attempt to patch Heartbleed failed because it was rushed and fixed nothing? Do we want that again?

From what I understand, Microsoft was working on something. And next week is Patch Tuesday. If Microsoft didn't have something ready for an out-of-band patch, it likely would have ended up in next Tuesday's releases. The reason people are calling out Google again is that Google frequently discloses Windows vulnerabilities right before Microsoft fixes the issue. For things that are not critical, Microsoft has had Patch Tuesday for over a decade. It's one of the few major software vendors with a dedicated release schedule for these kinds of things. But Google seems to ignore it a lot, and it feels like nothing but targeting the rivalry between the companies by disclosing it just before Microsoft can release a patch.

Patch Tuesday is a convenience, both for Microsoft and for the end user. It's not a "we can only do it on the second Tuesday of the month" kind of thing. It's a "this is when you can expect them, so be ready".

There's nothing at all difficult for them to push an out-of-schedule patch - especially if it's as critically needed as this one appears to be.

Google had told Microsoft about it ten days before the announcement, which is their policy to do for EVERYONE. Microsoft has the damned source code for Windows, so if anyone can knock out a patch in 10 days or less, it's them. IIRC, there was something about them laying off a bunch of coders not long ago (It could have been another company), but either way, Microsoft is big enough to have dealt with this and pushed a patch BEFORE that 10 days was up, out of cycle or not.

Them whining about what Google did is rather disingenuous when everyone in the industry knows how Google's zero-day exploit notification system works. For whatever reason, Microsoft did not respond in a timely fashion to a critical flaw. Tossing the "blame" back on Google, especially when the exploit was ALREADY BEING USED in the wild, is just a blame game tactic to make people not notice their own lack of action on the issue.

Google threw Microsoft the ball with the same speed and power as they do everyone all the time, and when Microsoft dropped it, they're complaining it was Google's fault.

I don't see how it is.

"Knocking out a patch" seems like a poor way to deliver a security fix. Rushing could make things worse, cause other problems, etc.

Having a rigid consistent policy isn't a valid defense when the rigidness and details of that policy are at issue. If the policy creates additional security concerns that didn't previously exist, that is a worthwhile discussion to have, and cannot be dismissed out of hand.

As has been explained many times, just because one entity knows of a threat doesn't imply everyone does. Especially for a state actor, they may well be hoarding their vulnerabilities. So there is a set of tradeoffs: If you announce, people who might be targets of the state actor--but who haven't yet been attacked--may be able to protect themselves. Or the state actor accelerates their attacks to make use of the vulnerability while it still exists and before people can respond. And then a race is on for others to find and use the exploit too, whose range of targets is likely very different from said state actor, thus opening new people (especially less tech savvy people) to attack from this vector.

So announcing may cause tech-savvy and people thought to be targets to harden themselves, though the targets may already be owned, but now the vulnerability is going to become widespread and more numerous, less tech-savvy targets will be targeted whose only real protection is the patch that hasn't yet been released.

Before "state actors" were a thing, finding an exploit in the wild probably meant it was in some exploit kit among the hacker community, which could be assumed to be in wide use or soon will be anyway. The same properties won't be true for suspected state actors.

Serious problem but I did get a laugh out of Microsoft's Terry Myerson comment:

"... encouraged customers to upgrade to Windows 10 for protection from further advanced threats."

They never stop pushing that Win 10 upgrade. And really, who can protect from future and unknown 'further advanced threats'?

Windows versions older than Windows 10 are rapidly approaching "Only security updates" and Windows 7 has been there for years...

So, I should upgrade to Win 10, instead of this Linux machine I'm typing on and I'll be safe? /s

However, there's no such safety and security as long as we're connected to the Internet. As has been pointed out many times, the defender and the defence system have to be perfect all the time; the nefarious hacker only has to succeed once. No matter how much I know and learn about all of this, there's no way to keep up with it all and defend against all current and future threats regardless of what OS or computer I have. There are far too many vulnerabilities, and more are discovered all the time, as well as people who are far more knowledgeable about computers and hacking than I'll ever be or want to be.

As far as Win 10 goes, if I ever build another computer that has to have Windows to run specific software, I'll purchase it and install it (probably grudgingly).

Quote:

"We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk."

Edit: I keep screwing up the quote tags.

No, actually Google did people a favor going public with this, since this was being actively exploited but Chrome protects against it. I already use Chrome as my main browser, but if I were using a different one I'd switch to Chrome till a Windows update is released protecting against this.

And that's why they did this.

I highly doubt that. I know it's tempting to see Google as a monolithic company with tightly aligned interests - but I find that *quite* unlikely. And the group of people they have employed in their Threat Analysis Group in particular are not known for all that many commercial considerations.